Beruflich Dokumente
Kultur Dokumente
Abstract - VANET based information systems have considerable participation of public agencies including national, state and
promise for improving traffic safety, reducing congestion and local transportation authorities such as the US Department of
increasing environmental efficiency of transportation systems.
Transportation (USDOT), the Federal Highway Association
However, the potential of these systems will not be realized until the
(an office of the USDOT), state departments of transportation
issue of network security is fully resolved. In this paper, we introduce
a security scheme called Temporary Authentication and Revocation or city and regional transportation agencies, which will
Indicator for VANETs. Using analytical and simulation based primarily be interested with improvements in public safety and
analyses, we examine the timing delay incurred by TARI and other congestion reduction. Further, it may well be that commercial
security metrics. We demonstrate that TARI is efficient enough to be
traffic will be unwelcome across networks delivering safety
deployed in safety critical VANET applications and can scale to dense
networks with many vehicles competing for broadcast air-time. and congestion critical messages to drivers in crowded traffic
networks.
I. INTRODUCTION Deploying successful large scale VANETs hinges on the
ability of these systems to absolutely guarantee the reliability
Traffic congestion and accidents continue to take a toll on
and security of all messages relayed. Our work focuses on
our society, with congestion impacts costing drivers enormous
both of these dimensions. In earlier research we examined the
amounts of time and accidents resulting in around 40,000
performance of broadcast communication and sought to
fatalities per year in each of the US and Europe [1] [2]. Further,
improve its reliability by explicitly incorporating fundamental
the number of fatalities each year in China alone is more than
relationships of traffic flow [4] to adjust the transmission
twice the number in the US and Europe because of its higher
power. Here we examine mechanisms for securing vehicular
population. Vehicle to vehicle (V2V), Vehicle to infrastructure
networks with message authentication. While many safety
(V2I), Infrastructure to vehicle (I2V) and Vehicle to pedestrian
applications exist, we focus on those in which communication
(V2P) communication systems have considerable promise for
is event driven rather than those in which it is periodic (such as
improving traffic safety, reducing congestion and increasing
cooperative adaptive cruise control or curve speed warning).
environmental efficiency of transportation systems. However,
We include single-hop broadcasting applications for both V2V
the potential of these systems will not be realized until the
and V2I communications. Representative applications of
issue of network security is fully resolved. Communication and
interest are shown in Table 1 [3] [5].
network security in Vehicular Ad hoc Networks (VANETs)
share some challenges in common: 1) Vehicles operate in a TABLE 1. REPRESENTATIVE SAFETY APPLICATIONS
dynamic network moving at fast speeds and may have very Safety Applications Communication Requirements
short connectivity time windows; and 2) communication and Comm Hop Latency Comm
security mechanisms need to be available even with an initial Type Traversal (msec) Range
(meters)
low market penetration rate of Dedicated Short Range Intersection Collision Single-
Communication (DSRC) enabled inter-vehicle communication. V2V ~100 ≤ 300
Warning hop
A review of the primary VANET applications is provided in Single-
Pre-Crash Sensing V2V ~20 ≤ 50
hop
[3]. These are classified as safety, convenience and commercial
Transit Vehicle Signal Single-
applications. Our interest lies primarily in safety applications, V2V ~100 ≤ 1000
Priority hop
with a secondary interest in those providing convenience (note Approaching Emergency
V2V
Single-
≤ 1000
~1000
that this category includes real-time traffic information in Vehicle Warning hop
addition to services such as parking availability and location
notification). While commercial applications may indeed Message authentication is one of the most important
provide a tertiary benefit to automobile drivers, it seems likely requirements for VANET security. Digital signature is the
that by the time VANETs are fully functional, most of these most widely accepted solution for message authentication [6].
applications will already be fairly mature and will rely on Each message is digitally signed before transmission and its
cellular communication systems or other wireless technologies. signature is verified before the message is taken under
In addition, deploying functional VANETs will require the consideration. Since safety messages are sent out periodically
by participating vehicles, in a dense network, a vehicle’s on- mentioned security requirements. Since subsequent V2V
board unit (OBU) may receive hundreds of such messages in a communication uses the same temporary key for authentication,
short time span. The ability to verify these digitally signed the TACK scheme also provides short-term linkability, a
messages quickly presents some challenges for OBUs since in desirable property in some applications [13].
order to keep the cost low, OBUs have limited computation Other recent works [14] and [15] discuss the extensive
power. A typical OBU has a 400MHz CPU [7]. findings of the EU Secure Vehicle Communication (SeVeCom)
If an OBU cannot verify all these messages, some will not project.
be processed. These un-processed messages may contain III. SYSTEM MODEL
urgent and safety critical information. Lack of knowledge may
contribute to accidents, and even death. Thus, for a security We consider the following entities in TARI:
solution to be practical and useful, it is critical to consider MA: managing authority or root of trust. It certifies
entity capabilities and to develop a design suitable for those OBUs and RAs. A MA can consist of multiple entities
applications. that include a Department of Motor Vehicles (DMV) or
In this paper, we propose TARI (Temporary Authentication other national, regional, state and local transportation
and Revocation Indicator) for efficient authentication and authorities. MA works off-line most of the time and
revocation while meeting delay requirements in VANETs. In certifies both RA and OBU.
TARI, a symmetric key based approach is used for V2V RA: regional authority. A RA is part of the road-side
communication for efficiency in both computation and infrastructure. It stays online to process OBU requests
communication. The TARI authentication is based on TESLA and issues temporary keys for V2V communication in
broadcast authentication [8] while revocation is based on a the region. We assume the road is divided into multiple
revocation mechanism in the Certificate Revocation System [9]. regions covered by different RAs. An OBU can contact
II. RELATED WORKS at least one RA when entering a region. A RA is
certified by the MA.
Several recent papers examine security challenges in
VANETs and discuss basic mitigation measures [6] [7] [10] V: set of legitimate OBUs that have a valid certificate
[11] [14] [15]. Securing V2V communication requires several from the MA, and can use the valid certificate to get a
conflicting security properties: TARI from RA.
V’: revoked OBUs which are included in the MA's
Authenticity: to provide entity and message revocation list and do not have a valid TARI.
authenticity.
A. Goals
Privacy: to provide long-term anonymity and prevent
The goals of TARI are as follows:
tracking.
Traceability and revocation: to trace and disable Authentication. TARI should support multiple
abusing OBUs in a timely manner. authentications including OBU to RA, RA to OBU and
OBU to OBU authentication.
Multiple schemes have been proposed to achieve both Privacy. RAs or other vehicles should not be able to
authentication and anonymity. The simplest way would be to track a participating OBU on the long term.
equip each vehicle with a large set of certified public/private Traceability and revocation. An abusing OBU should be
keys during the process of yearly security inspections [11]. identified and its ability in participating VANETS
Each key would be used only for a brief period of time. should be disabled.
However, this approach is subject to Sybil attacks and would Efficiency. Cryptography used in TARI should be
also require that each vehicle be inspected each year. Another computational efficient since OBUs have resource-
is to use group signatures within VANETS [12]. However, limited processors.
group signatures are computationally expensive, making
B. Assumptions
frequent use of group signatures infeasible to meet delay
We assume a passive adversary who listens to all
requirement in safety VANET applications.
communication traffic. The adversary’s goal is to forge a valid
Recently, Studer et al. proposed the TACK scheme [13]. In
signature/message authentication code (MAC) and impersonate
TACK, Regional Authorities (RA) are used to issue temporary
a valid entity to participate in VANET communication. We do
public/private keys. The road is divided into multiple regions
not consider a compromised vehicle that is under full control of
and when an OBU enters a region, it sends an authenticated
the adversary. Further, we do not consider denial-of-service
request to the RA for a temporary anonymous certified key
attacks as it is difficult to prevent an adversary from jamming
(TACK). An OBU is equipped with a group user key and the
the wireless channel.
request is authenticated through a group signature generated by
We assume loose synchronization among vehicles in the
OBU’s group user key. A group signature allows the OBU to
same region. By loose synchronization, we mean that a
authenticate anonymously. An OBU uses TACK for
receiver does not need to know exact clock differences
subsequent V2V communication. TACK satisfies all the above
between itself and the sender. It only needs to know the upper = H(N0) where H() is a pseudo-random function (PRF) and
bound of the differences. Security of TESLA-based Hmax() denotes repeatedly applying the function H() over the
authentication is based on this loose synchronization. Many inputs max times. A TARI is a certificate issued by the RA on
schemes, including the one proposed in the original TESLA AI and RI. max is a system parameter determined by the RA
paper [8] can be used to synchronize clocks of neighboring that indicates the maximum number of time intervals a TARI
vehicles in a region. will remain valid. Suppose an OBU broadcasts a safety
The notation used in the remaining of the paper is message every 100 ms and a TARI is expected to be valid for
summarized in Table 2. two minutes, we can set max = 1200 (2 min/100 ms). The RA
TABLE 2. NOTATIONS logs all requests and issue TARIs for future tracing and
revocation.
Symbol Definition
The TARI request and generation steps are shown in Table 3.
gSign Group signature generation TABLE 3. TARI REQUEST AND GENERATION
gVerigy Group signature verification
N0 ← $ : Y0 ← $
R R
sign (normal) signature generation OBU:
verify (normal) signature verification OBU: Compute c = EncpkRA(N0, Y0)
Enc Public key encryption scheme
Dec Public key decryption scheme σ = gSignguk (c)
gpk Group public key OBU → RA: c, σ
guk Group user private key or OBU’s RA: Use gVerify to verify σ
private key
pkRA RA public key If verification is successful extract N0,Y0 from
prRA RA private key c by decrypting c using PrRA
RA: Compute RI = H (N0) and AI = Hmax (Y0)
where max is a system parameter chosen by
IV. DESIGN
RA. H(·) is a cryptographic hash function
Our design of TARI follows the structure of TACK: we use RA: Compute σ' = SignprRA (AI, RI) and TARI =
a group signature scheme to provide anonymity as well as to (AI, RI, σ')
allow tracing and revocation. Each valid OBU has a unique RA → OBU: TARI
group user key guk issued by a trusted MA. The guk is stored
on the OBU and remains there for a reasonably long period of D. V2V Communication with TARI
time. The MA records all issued group user keys. Once an Each OBU broadcasts its valid TARI periodically to the
OBU misbehaves, the MA can trace the identity of the network. Since a TARI is certified by the RA and we assume
misbehaving OBU and revoke its guk. OBUs within the region know the RA’s public key, each TARI
When an OBU enters a region, it sends a request to the can be verified by OBUs in the region. After successfully
regional authority RA for a temporary TARI. The request verifying a TARI, an OBU stores AI and RI for subsequent
contains a group signature generated by the OBU’s guk. After communication.
the RA successfully verifies the request, it issues a short-lived We divide time into transmission time periods and assume
TARI to the OBU. The TARI is used for both authentication and that a single safety message is generated during each
revocation. In the following, we show how the TARI is transmission time period (100 ms). A safety message msgi at
requested and generated and discuss how it can be used for time i has a format (AI, msgi, maci, Ki-1) where maci is the
message authentication and OBU revocation. Message Authentication Code of msgi under a symmetric key
C. TARI Request and Generation Ki.. That is: maci= MACKi(msg). An OBU generates its i-th
A TARI consists of two components: an authentication period key Ki as Ki = Hmax-i(Y0).
indicator (AI) and a revocation indicator (RI). The AI is used by TARI delays message verification by one transmission
the destination OBU to verify a message from a source OBU interval (100 ms). After an OBU receives a broadcast message
while the RI is used to disable the corresponding AI. After (AI, msgi, maci, Ki-1), it stores the message after first making
revocation, AI cannot be used to authenticate messages sure that AI is in its verified list and then uses Ki-1 to verify
generated by the source OBU. msgi-1 received in the previous transmission interval.
When an OBU enters a region, it requests a TARI from the The verification takes two steps. First, the OBU verifies Ki-1
RA in that region. The OBU first chooses two 8-byte random by comparing whether Hi-1(Ki-1) equals AI. If the two values are
numbers Y0 and N0. Then it encrypts the two values with the equal, Ki-1 is authenticated and the OBU can use it to verify
RA's public key. Finally, the OBU generates a group signature msgi-1. Since an OBU can store the latest key after it is verified,
over the encrypted AI and RI and sends them to the RA to the first step in the verification process needs only one hash
request a TARI. function invocation.
After the RA successfully verifies the OBU’s request, it E. Revocation with TARI
extracts Y0 and N0 from the received message by decrypting When an OBU is found to be misbehaving, revoking its
with its private key prRA. It then computes AI = Hmax(Y0) and RI long-term group user key is done through the revocation
process of the group signature scheme. In this section, we user key, MA will issue an updated RL containing the revoked
discuss how to revoke a TARI and the corresponding AI. OBU. Since N0 is only known to RA and OBU itself, it can
Revoking a TARI is simple and efficient. RA broadcasts a revoke an abusing OBU.
revocation message in the form of (AI, N0). When an OBU The estimated computational time for certificate creation,
receives the revocation message, it first checks whether AI is in signature generation and verification time are described in
its record list and then compares N and H(N0). A match Table 4 and Table 5 and was previously investigated by [7] and
indicates the corresponding AI or TARI is revoked. So the OBU [13].
removes the pair (AI, N) from its record list and refuses to TABLE 4. ESTIMATED TIME IN GROUP SIGNATURE AND CERTIFICATE
accept messages authenticated with AI. Since the source OBU CREATION
knows N0, it can also broadcast a revocation message (AI, N0) Operation
Computational Data Size
to do self-revocation. Self-revocation is performed when the Time (ms) (bytes)
OBU Group Sig Creation 320 228
source OBU wants to reduce the short-term linkability period. RA Group Sig Verify 36 228
RA Creation of Certificate 3.2 28
V. PERFORMANCE ANALYSIS
In this section, we first discuss how TARI meet the TABLE 5. COMPARISON OF SIGNATURE GENERATION AND VERIFICATION TIME
necessary requirements for security analysis analytically and Sig Size (bytes) Generation (ms) Verification (ms)
communication through simulation. Then, we discuss the ECDSA 28 3.255 7.617
timing analysis and how TARI meet delay constraints for NTRU 197 1.587 1.488
safety critical VANET applications. TARI 8 0.001 0.002
VII. ACKNOWLEDGEMENT
REFERENCES
[1] NHTSA, "Traffic Safety Facts," Technical Report, 2009.
[2] European Commission, "Directive of the European Parliament and
of the Council - facilitating cross-border enforcement in the field
of road safety," Technical Report, 2008.
[3] F. Bai, T. Elbatt, and G. Hollan, "Towards characterizing and
classifying communication-based automotive applications from a
wireless networking perspective," IEEE Workshop on
Automotive Networking and Applications (AutoNet), 2006.